{"id":"https://openalex.org/W7116670301","doi":"https://doi.org/10.3390/make8010002","title":"Enhancing GNN Explanations for Malware Detection with Dual Subgraph Matching","display_name":"Enhancing GNN Explanations for Malware Detection with Dual Subgraph Matching","publication_year":2025,"publication_date":"2025-12-21","ids":{"openalex":"https://openalex.org/W7116670301","doi":"https://doi.org/10.3390/make8010002"},"language":"en","primary_location":{"id":"doi:10.3390/make8010002","is_oa":true,"landing_page_url":"https://doi.org/10.3390/make8010002","pdf_url":"https://www.mdpi.com/2504-4990/8/1/2/pdf?version=1766395209","source":{"id":"https://openalex.org/S4210213891","display_name":"Machine Learning and Knowledge Extraction","issn_l":"2504-4990","issn":["2504-4990"],"is_oa":true,"is_in_doaj":true,"is_core":true,"host_organization":"https://openalex.org/P4310310987","host_organization_name":"Multidisciplinary Digital Publishing Institute","host_organization_lineage":["https://openalex.org/P4310310987"],"host_organization_lineage_names":["Multidisciplinary Digital Publishing Institute"],"type":"journal"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Machine Learning and Knowledge Extraction","raw_type":"journal-article"},"type":"article","indexed_in":["crossref","doaj"],"open_access":{"is_oa":true,"oa_status":"gold","oa_url":"https://www.mdpi.com/2504-4990/8/1/2/pdf?version=1766395209","any_repository_has_fulltext":true},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5095782617","display_name":"Hossein Shokouhinejad","orcid":"https://orcid.org/0009-0001-6342-2740"},"institutions":[{"id":"https://openalex.org/I106938459","display_name":"University of New Brunswick","ror":"https://ror.org/05nkf0n29","country_code":"CA","type":"education","lineage":["https://openalex.org/I106938459"]}],"countries":["CA"],"is_corresponding":true,"raw_author_name":"Hossein Shokouhinejad","raw_affiliation_strings":["Canadian Institute for Cybersecurity, University of New Brunswick, Fredericton, NB E3B 5A3, Canada"],"raw_orcid":"https://orcid.org/0009-0001-6342-2740","affiliations":[{"raw_affiliation_string":"Canadian Institute for Cybersecurity, University of New Brunswick, Fredericton, NB E3B 5A3, Canada","institution_ids":["https://openalex.org/I106938459"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5019749887","display_name":"Roozbeh Razavi\u2010Far","orcid":null},"institutions":[{"id":"https://openalex.org/I106938459","display_name":"University of New Brunswick","ror":"https://ror.org/05nkf0n29","country_code":"CA","type":"education","lineage":["https://openalex.org/I106938459"]}],"countries":["CA"],"is_corresponding":true,"raw_author_name":"Roozbeh Razavi-Far","raw_affiliation_strings":["Canadian Institute for Cybersecurity, University of New Brunswick, Fredericton, NB E3B 5A3, Canada"],"raw_orcid":"https://orcid.org/0000-0002-4330-3656","affiliations":[{"raw_affiliation_string":"Canadian Institute for Cybersecurity, University of New Brunswick, Fredericton, NB E3B 5A3, Canada","institution_ids":["https://openalex.org/I106938459"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5114151097","display_name":"Griffin Higgins","orcid":"https://orcid.org/0009-0001-2494-8360"},"institutions":[{"id":"https://openalex.org/I106938459","display_name":"University of New Brunswick","ror":"https://ror.org/05nkf0n29","country_code":"CA","type":"education","lineage":["https://openalex.org/I106938459"]}],"countries":["CA"],"is_corresponding":false,"raw_author_name":"Griffin Higgins","raw_affiliation_strings":["Canadian Institute for Cybersecurity, University of New Brunswick, Fredericton, NB E3B 5A3, Canada"],"raw_orcid":"https://orcid.org/0009-0001-2494-8360","affiliations":[{"raw_affiliation_string":"Canadian Institute for Cybersecurity, University of New Brunswick, Fredericton, NB E3B 5A3, Canada","institution_ids":["https://openalex.org/I106938459"]}]},{"author_position":"last","author":{"id":"https://openalex.org/A5120999449","display_name":"Ali A. Ghorbani","orcid":null},"institutions":[{"id":"https://openalex.org/I106938459","display_name":"University of New Brunswick","ror":"https://ror.org/05nkf0n29","country_code":"CA","type":"education","lineage":["https://openalex.org/I106938459"]}],"countries":["CA"],"is_corresponding":false,"raw_author_name":"Ali A. Ghorbani","raw_affiliation_strings":["Canadian Institute for Cybersecurity, University of New Brunswick, Fredericton, NB E3B 5A3, Canada"],"raw_orcid":"https://orcid.org/0000-0001-9189-6268","affiliations":[{"raw_affiliation_string":"Canadian Institute for Cybersecurity, University of New Brunswick, Fredericton, NB E3B 5A3, Canada","institution_ids":["https://openalex.org/I106938459"]}]}],"institutions":[],"countries_distinct_count":1,"institutions_distinct_count":4,"corresponding_author_ids":["https://openalex.org/A5019749887","https://openalex.org/A5095782617"],"corresponding_institution_ids":["https://openalex.org/I106938459"],"apc_list":{"value":1400,"currency":"CHF","value_usd":1515},"apc_paid":{"value":1400,"currency":"CHF","value_usd":1515},"fwci":1.2312,"has_fulltext":true,"cited_by_count":1,"citation_normalized_percentile":{"value":0.85233769,"is_in_top_1_percent":false,"is_in_top_10_percent":false},"cited_by_percentile_year":{"min":96,"max":98},"biblio":{"volume":"8","issue":"1","first_page":"2","last_page":"2"},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T11241","display_name":"Advanced Malware Detection Techniques","score":0.2619999945163727,"subfield":{"id":"https://openalex.org/subfields/1711","display_name":"Signal Processing"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T11241","display_name":"Advanced Malware Detection Techniques","score":0.2619999945163727,"subfield":{"id":"https://openalex.org/subfields/1711","display_name":"Signal Processing"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11273","display_name":"Advanced Graph Neural Networks","score":0.22300000488758087,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T12026","display_name":"Explainable Artificial Intelligence (XAI)","score":0.1745000034570694,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/malware","display_name":"Malware","score":0.6794999837875366},{"id":"https://openalex.org/keywords/discriminative-model","display_name":"Discriminative model","score":0.6355000138282776},{"id":"https://openalex.org/keywords/benchmark","display_name":"Benchmark (surveying)","score":0.5130000114440918},{"id":"https://openalex.org/keywords/generalization","display_name":"Generalization","score":0.5080999732017517},{"id":"https://openalex.org/keywords/matching","display_name":"Matching (statistics)","score":0.49790000915527344},{"id":"https://openalex.org/keywords/dual","display_name":"Dual (grammatical number)","score":0.4284999966621399},{"id":"https://openalex.org/keywords/subgraph-isomorphism-problem","display_name":"Subgraph isomorphism problem","score":0.40529999136924744},{"id":"https://openalex.org/keywords/control-flow-graph","display_name":"Control flow graph","score":0.4002000093460083}],"concepts":[{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.7457000017166138},{"id":"https://openalex.org/C541664917","wikidata":"https://www.wikidata.org/wiki/Q14001","display_name":"Malware","level":2,"score":0.6794999837875366},{"id":"https://openalex.org/C97931131","wikidata":"https://www.wikidata.org/wiki/Q5282087","display_name":"Discriminative model","level":2,"score":0.6355000138282776},{"id":"https://openalex.org/C119857082","wikidata":"https://www.wikidata.org/wiki/Q2539","display_name":"Machine learning","level":1,"score":0.5516999959945679},{"id":"https://openalex.org/C185798385","wikidata":"https://www.wikidata.org/wiki/Q1161707","display_name":"Benchmark (surveying)","level":2,"score":0.5130000114440918},{"id":"https://openalex.org/C177148314","wikidata":"https://www.wikidata.org/wiki/Q170084","display_name":"Generalization","level":2,"score":0.5080999732017517},{"id":"https://openalex.org/C165064840","wikidata":"https://www.wikidata.org/wiki/Q1321061","display_name":"Matching (statistics)","level":2,"score":0.49790000915527344},{"id":"https://openalex.org/C154945302","wikidata":"https://www.wikidata.org/wiki/Q11660","display_name":"Artificial intelligence","level":1,"score":0.4700999855995178},{"id":"https://openalex.org/C2780980858","wikidata":"https://www.wikidata.org/wiki/Q110022","display_name":"Dual (grammatical number)","level":2,"score":0.4284999966621399},{"id":"https://openalex.org/C131992880","wikidata":"https://www.wikidata.org/wiki/Q2528185","display_name":"Subgraph isomorphism problem","level":3,"score":0.40529999136924744},{"id":"https://openalex.org/C27458966","wikidata":"https://www.wikidata.org/wiki/Q1187693","display_name":"Control flow graph","level":2,"score":0.4002000093460083},{"id":"https://openalex.org/C132525143","wikidata":"https://www.wikidata.org/wiki/Q141488","display_name":"Graph","level":2,"score":0.3944999873638153},{"id":"https://openalex.org/C124101348","wikidata":"https://www.wikidata.org/wiki/Q172491","display_name":"Data mining","level":1,"score":0.37529999017715454},{"id":"https://openalex.org/C101468663","wikidata":"https://www.wikidata.org/wiki/Q1620158","display_name":"Modular design","level":2,"score":0.364300012588501},{"id":"https://openalex.org/C50644808","wikidata":"https://www.wikidata.org/wiki/Q192776","display_name":"Artificial neural network","level":2,"score":0.3222000002861023},{"id":"https://openalex.org/C168725872","wikidata":"https://www.wikidata.org/wiki/Q991663","display_name":"Sophistication","level":2,"score":0.3070000112056732},{"id":"https://openalex.org/C70437156","wikidata":"https://www.wikidata.org/wiki/Q7228652","display_name":"Pooling","level":2,"score":0.2921999990940094},{"id":"https://openalex.org/C153180895","wikidata":"https://www.wikidata.org/wiki/Q7148389","display_name":"Pattern recognition (psychology)","level":2,"score":0.2897000014781952},{"id":"https://openalex.org/C204241405","wikidata":"https://www.wikidata.org/wiki/Q461499","display_name":"Transformation (genetics)","level":3,"score":0.26980000734329224},{"id":"https://openalex.org/C61455927","wikidata":"https://www.wikidata.org/wiki/Q1030529","display_name":"Blossom algorithm","level":3,"score":0.26269999146461487},{"id":"https://openalex.org/C80444323","wikidata":"https://www.wikidata.org/wiki/Q2878974","display_name":"Theoretical computer science","level":1,"score":0.2572000026702881}],"mesh":[],"locations_count":2,"locations":[{"id":"doi:10.3390/make8010002","is_oa":true,"landing_page_url":"https://doi.org/10.3390/make8010002","pdf_url":"https://www.mdpi.com/2504-4990/8/1/2/pdf?version=1766395209","source":{"id":"https://openalex.org/S4210213891","display_name":"Machine Learning and Knowledge Extraction","issn_l":"2504-4990","issn":["2504-4990"],"is_oa":true,"is_in_doaj":true,"is_core":true,"host_organization":"https://openalex.org/P4310310987","host_organization_name":"Multidisciplinary Digital Publishing Institute","host_organization_lineage":["https://openalex.org/P4310310987"],"host_organization_lineage_names":["Multidisciplinary Digital Publishing Institute"],"type":"journal"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Machine Learning and Knowledge Extraction","raw_type":"journal-article"},{"id":"pmh:oai:doaj.org/article:6a65ac3b00724c78bae882e35b015292","is_oa":true,"landing_page_url":"https://doaj.org/article/6a65ac3b00724c78bae882e35b015292","pdf_url":null,"source":{"id":"https://openalex.org/S4306401280","display_name":"DOAJ (DOAJ: Directory of Open Access Journals)","issn_l":null,"issn":null,"is_oa":false,"is_in_doaj":false,"is_core":false,"host_organization":null,"host_organization_name":null,"host_organization_lineage":[],"host_organization_lineage_names":[],"type":"repository"},"license":"cc-by-sa","license_id":"https://openalex.org/licenses/cc-by-sa","version":"submittedVersion","is_accepted":false,"is_published":false,"raw_source_name":"Machine Learning and Knowledge Extraction, Vol 8, Iss 1, p 2 (2025)","raw_type":"article"}],"best_oa_location":{"id":"doi:10.3390/make8010002","is_oa":true,"landing_page_url":"https://doi.org/10.3390/make8010002","pdf_url":"https://www.mdpi.com/2504-4990/8/1/2/pdf?version=1766395209","source":{"id":"https://openalex.org/S4210213891","display_name":"Machine Learning and Knowledge Extraction","issn_l":"2504-4990","issn":["2504-4990"],"is_oa":true,"is_in_doaj":true,"is_core":true,"host_organization":"https://openalex.org/P4310310987","host_organization_name":"Multidisciplinary Digital Publishing Institute","host_organization_lineage":["https://openalex.org/P4310310987"],"host_organization_lineage_names":["Multidisciplinary Digital Publishing Institute"],"type":"journal"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Machine Learning and Knowledge Extraction","raw_type":"journal-article"},"sustainable_development_goals":[{"score":0.7092604637145996,"id":"https://metadata.un.org/sdg/10","display_name":"Reduced inequalities"}],"awards":[],"funders":[],"has_content":{"grobid_xml":true,"pdf":true},"content_urls":{"pdf":"https://content.openalex.org/works/W7116670301.pdf","grobid_xml":"https://content.openalex.org/works/W7116670301.grobid-xml"},"referenced_works_count":24,"referenced_works":["https://openalex.org/W2091939272","https://openalex.org/W2126359798","https://openalex.org/W2147405597","https://openalex.org/W2514974017","https://openalex.org/W2574017551","https://openalex.org/W2608355501","https://openalex.org/W3178593045","https://openalex.org/W4226294137","https://openalex.org/W4285059789","https://openalex.org/W4287849792","https://openalex.org/W4292820477","https://openalex.org/W4385336663","https://openalex.org/W4386216135","https://openalex.org/W4386852161","https://openalex.org/W4390619961","https://openalex.org/W4391886995","https://openalex.org/W4392303153","https://openalex.org/W4392697189","https://openalex.org/W4394862626","https://openalex.org/W4400623754","https://openalex.org/W4404638618","https://openalex.org/W4405105257","https://openalex.org/W4410629757","https://openalex.org/W4413324272"],"related_works":[],"abstract_inverted_index":{"The":[0,84],"increasing":[1,121],"sophistication":[2],"of":[3,9,16,44,109],"malware":[4,59,169],"has":[5],"challenged":[6],"the":[7,14,26,81,107,110,135,155],"effectiveness":[8],"conventional":[10],"detection":[11,40,60],"techniques,":[12],"motivating":[13],"adoption":[15],"Graph":[17],"Neural":[18],"Networks":[19],"(GNNs)":[20],"for":[21],"their":[22,42,47],"ability":[23],"to":[24,98,124,160],"model":[25],"structural":[27],"and":[28,80,88],"semantic":[29],"information":[30],"embedded":[31],"in":[32,49,167],"control":[33],"flow":[34],"graphs.":[35],"While":[36],"GNNs":[37],"offer":[38],"high":[39,139],"performance,":[41],"lack":[43],"transparency":[45],"limits":[46],"applicability":[48],"security-critical":[50],"domains.":[51],"To":[52,105],"address":[53],"this,":[54],"we":[55,114],"present":[56],"an":[57],"explainable":[58,148],"framework,":[61],"which":[62,94],"contains":[63],"a":[64,71,75],"dual":[65,68],"explainer.":[66],"This":[67],"explainer":[69,73],"integrates":[70],"GNN":[72],"with":[74,152],"neural":[76,111],"subgraph":[77,112,122,153],"matching":[78,126],"approach":[79],"VF2":[82],"algorithm.":[83],"proposed":[85,136,156],"method":[86],"identifies":[87],"verifies":[89],"discriminative":[90],"subgraphs":[91],"during":[92],"training,":[93],"are":[95],"later":[96],"used":[97],"explain":[99],"new":[100],"predictions":[101],"through":[102],"efficient":[103],"matching.":[104],"enhance":[106],"generalization":[108],"matcher,":[113],"train":[115],"it":[116],"using":[117],"curriculum":[118],"learning,":[119],"gradually":[120],"complexity":[123],"improve":[125],"quality.":[127],"Experimental":[128],"evaluations":[129],"on":[130],"benchmark":[131],"datasets":[132],"demonstrate":[133],"that":[134],"framework":[137,157],"retains":[138],"classification":[140],"accuracy":[141],"while":[142],"significantly":[143],"improving":[144],"interpretability.":[145],"By":[146],"unifying":[147],"graph":[149],"learning":[150],"techniques":[151],"matching,":[154],"enables":[158],"analysts":[159],"gain":[161],"actionable":[162],"insights,":[163],"fostering":[164],"greater":[165],"trust":[166],"GNN-based":[168],"detectors.":[170]},"counts_by_year":[{"year":2026,"cited_by_count":1}],"updated_date":"2026-05-06T08:25:59.206177","created_date":"2025-12-22T00:00:00"}